Bug 2066700: RBAC replace wildcards for tuned.openshift.io apiGroup

[dagrayvid]

This PR is intended to fix RHBZ#2066700.

For an initial draft, I am replacing the wildcards with the full set of resources and verbs in the tuned.openshift.io apiGroup. I plan to experiment with removing some of the verbs, especially from the cluster-node-tuning:tuned clusterRole.

[jmencak]

Thank you for the PR, David! This looks mostly good. However, as we decided to tighten the RBAC rules, we probably should tighten them further. For example, the operand itself will never delete and create Tuneds/Profiles. Also, it should never update Tuneds, just Profiles (statuses). As for deletecollection, do we need this at all for operator/operand? So let's do a full review and keep only those needed.

[jmencak]

This PR is intended to fix RHBZ#2066664.

It is actually intended to fix rhbz#2066700. Let's update the description, please. Also, I'm not sure this is all that needs to be done to fix that BZ, perhaps @sreber84 can comment.

[dagrayvid]

Thank you for the PR, David! This looks mostly good. However, as we decided to tighten the RBAC rules, we probably should tighten them further. For example, the operand itself will never delete and create Tuneds/Profiles. Also, it should never update Tuneds, just Profiles (statuses). As for deletecollection, do we need this at all for operator/operand? So let's do a full review and keep only those needed.

Thanks Jiri. I do plan to tighten the rules before removing the (WIP) from the PR, but your hints are appreciated!

This PR is intended to fix RHBZ#2066664.

It is actually intended to fix rhbz#2066700. Let's update the description, please. Also, I'm not sure this is all that needs to be done to fix that BZ, perhaps @sreber84 can comment.

Good catch. Sorry about that.

I opened this PR as a WIP as a lazy way to run the e2e test suite, and I'm surprised to see that both the e2e-aws and e2e-aws-operator test failed bootstrapping on "operator conditions node-tuning", with the co/node-tuning status being null.

[dagrayvid]

/retest

I have been unable to reproduce this failure so far... maybe a potential flake to investigate, but seems unrelated to the PR changes.

[openshift-ci]

@dagrayvid: This pull request references Bugzilla bug 2066700, which is invalid:

• expected the bug to target the "4.11.0" release, but it targets "---" instead

Comment /bugzilla refresh to re-evaluate validity if changes to the Bugzilla bug are made, or edit the title of this pull request to link to a different bug.

In response to this:

Bug 2066700: RBAC replace wildcards for tuned.openshift.io apiGroup

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[dagrayvid]

/bugzilla refresh

[dagrayvid]

/retest-required

[openshift-ci]

@dagrayvid: This pull request references Bugzilla bug 2066700, which is valid. The bug has been moved to the POST state. The bug has been updated to refer to the pull request using the external bug tracker.

3 validation(s) were run on this bug

• bug is open, matching expected state (open)
• bug target release (4.11.0) matches configured target release for branch (4.11.0)
• bug is in the state ASSIGNED, which is one of the valid states (NEW, ASSIGNED, ON_DEV, POST, POST)

No GitHub users were found matching the public email listed for the QA contact in Bugzilla (liqcui@redhat.com), skipping review request.

In response to this:

/bugzilla refresh

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[jmencak]

/test e2e-aws-operator

[jmencak]

/retest

[dagrayvid]

e2e-aws failure does not look related to NTO.

/retest

[openshift-ci]

@dagrayvid: all tests passed!

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.

[jmencak]

Thank you for the PR David. I've tested this outside of CI and I didn't see any issues in the operator/operand logs. Also e2e tests pass.

/lgtm
/approve

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: dagrayvid, jmencak

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [jmencak]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[openshift-ci]

@dagrayvid: All pull requests linked via external trackers have merged:

• openshift/cluster-node-tuning-operator#333

Bugzilla bug 2066700 has been moved to the MODIFIED state.

In response to this:

Bug 2066700: RBAC replace wildcards for tuned.openshift.io apiGroup

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.